<Overview of Stream Cipher>
Ciphers are used as a technique for making data confidential. Among ciphers, in order to perform high speed encryption and decryption, there is a stream cipher which sequentially encrypts a plain text, by bit units, byte units, or the like. A typical stream cipher includes a key stream generator which generates a key stream, and a combination unit which combines the key stream and the plain text. For example, in encryption processing, with a secret key as a seed, a pseudo-random number is generated (key stream generator), and an XOR operation is performed on this pseudo-random number and the plain text (combination unit), to generate a cipher text. Here, XOR indicates an exclusive OR operation for each bit.
Assuming that the plain text is P, the pseudo-random number is R, and the cipher text is C, a relationship is as follows:PXORR=C 
In decryption processing, the plain text can be derived by generating a pseudo-random number from the same seed and performing an XOR operation on the cipher text.
The following relationship holds:
                              C          ⁢                                          ⁢          XOR          ⁢                                          ⁢          R                =                ⁢                              (                          P              ⁢                                                          ⁢              XOR              ⁢                                                          ⁢              R                        )                    ⁢          XOR          ⁢                                          ⁢          R                                        =                ⁢                  P          ⁢                                          ⁢                      XOR            ⁡                          (                              R                ⁢                                                                  ⁢                XOR                ⁢                                                                  ⁢                R                            )                                                              =                ⁢                  P          ⁢                                          ⁢          XOR          ⁢                                          ⁢          0                                        =                ⁢        P            and the following is obtained:CXORR=P <Security of Stream Cipher>
In the stream cipher, the combination unit is often implemented by simple processing such as XOR or the like. As a result, the security of the stream cipher depends on security of the pseudo-random number generated by the key stream generator.
Here, the security of the pseudo-random number depends on a pseudo-random number sequence to be generated thereafter not being predictable from an already observed pseudo-random number sequence.
For example, if the key stream generator has generated a key stream with repetitions such as a, b, c, a, b, c, . . . , since the pseudo-random number sequence to be generated thereafter is predictable from the already observed pseudo-random number sequence, the cipher text will be decrypted. This is because it is possible to execute an inverse operation of the combination unit.
That is, if the pseudo-random number R is predicted, the cipher text C is observed, and byCXORR=P it is possible to obtain the plain text P.
Giving consideration as in the above description, if the key stream generator generates a pseudo-random number that is not possible to predict, the stream cipher is secure. Stated in a reverse manner, if information can be found by which the pseudo-random number that is generated by the key stream generator can be distinguished from a true random number, it is possible to consider that security deteriorates in some way with respect to the stream cipher.
<Example of a Technique of Evaluating Security of a Stream Cipher>
There is a technique of evaluating the security of the stream cipher, based on the way of ideas described above. A technique of attack on a cipher in which an outputted cipher text or a pseudo-random number sequence is shown to be distinguished from a true random number sequence is referred to as a “distinguishing attack”.
With respect to distinguishing from the true random number, if the outputted cipher text or the pseudo-random number sequence is shown to have some sort of bias or characteristic, it is determined that the distinguishing has been realized.
In a distinguishing attack, a means which shows this type of bias or characteristic is referred to as a “distinguisher”, and discovering and creating the means in which this type of bias or characteristic is shown is referred to as a “constructing a distinguisher”. If the distinguisher can be constructed, the distinguishing attack can be applied.
If a distinguishing attack can be applied to a certain cipher, since there is a possibility that this cipher will leak information concerning the plain text or key, it cannot be guaranteed that the cipher is secure.
Therefore, if an alteration is added to the cipher to which the distinguishing attack can be applied, and the distinguishing attack can no longer to applied, it may be considered that the security of the cipher has been improved.
<Specific Example of Stream Cipher>
RC4 is an encryption algorithm developed by Ron Rivest, and is a stream cipher that is widely used as an encryption standard, such as RFC2246 (TLS), WEP, WPA, and the like. A specification of the RC4 has been made public by RFC2246 (TLS) and the like.
The RC4 has a characteristic in that a processing unit of n bits is variable, but if the processing unit n is made large, memory requirement becomes 2n, and a key schedule becomes extremely slow.
As a result, in actuality, there have been few implementations in which n exceeds 8 bits, and implementations exceeding 32 bits have not been possible.
Therefore, with RC4, implementations applied to recent processor sizes such as 32-bit/64-bit processors have not been possible.
So that such limitations do not occur with a 32-bit RC4, improvements have been made to realize an algorithm that can be implemented with high speed and small memory on a 32-bit/64-bit processor, as described in a paper (Non-Patent Document 1) published by G. Gong et al. in 2005.
In Non-Patent Document 1, in cases of a processing unit of 32 bits, there are successful implementations in which speed is restricted to approximately 3.1 times that of RC4, and memory is restricted to approximately 2^{−22} that of RC4.
Furthermore, by adding an internal variable k, an improvement is made to an algorithm in which a vulnerability of RC4 reported in the past (a statistical bias) does not occur.
<Gist of Attack Technique which is Dealt with by the Invention>
In cases of the algorithm of G. Gong et al., it is possible to construct a distinguisher in which the least significant bits of continuous output must match.
According to this distinguisher, distinguishing of a true random number sequence with a data amount of approximately 2^{30} is possible.
<Description of Improved Algorithm Proposed by G. Gong et al., to Exemplify the Attack Technique>
FIG. 2 illustrates the improved RC4 algorithm (32-bit RC4) proposed by G. Gong et al. in Non-Patent Document 1. In an RC4 type of stream cipher proposed by G. Gong et al., the number of entries in an array S is 2^{n}, and entry size of the array S is m bits.
Furthermore, in Non-Patent Document 1, since an initial constant ai of a KSA is defined only for a model with n=8 and m=32, in the present specification also, detailed analyses are also performed for a model with n=8 and m=32. Below, a description GGHN(n,m) is used for convenience, founded on basic processing units n and m.
As shown in FIG. 2, an RC4 type stream cipher GGHN(n,m) proposed by G. Gong et al., is configured of two processes KSA(K, S) and PRGA(S).
The KSA(K, S) performs a permutation of a 32-bit 256-element array, based on a key K of from 40 bits to 256 bits, being what is called an initial setting, and produces an initial state S.
The PRGA(S) is a process which generates a key stream, and generates a pseudo-random number at each point in time based on the state S.
Here, + represents mod N or mod M arithmetic addition, and N=2^{8}, and M=2^{32}. Furthermore, L represents the number of bytes of a secret key.
First, operation of the KSA(K, S) is described.
In the KSA, as initial values of the array S, by assigning an initial variable ai (S[i]=ai), and repeating a swap of S entries (Swap[S[i], S[j]]) and arithmetic addition (S[i]=S[i]+S[j] mod M), the S entries are mixed around.
In the KSA, since the internal variable k is also initialized by an S entry (k=k+S[i] mod M) being used, an initial value of k for the PRGA is unknown.
In the mixing around of the S entries, the number of loops r is variable, but, so that the probability of appearance of the S entries is random, a determination is made so as to select r=20 when m=32. In the proposal of G. Gong et al., it is determined to set r=40 when m=64.
A state immediately after KSA(K, S) has finished, in which PRGA(S) has not been started, is at time t=0. When time t=0, operation of the KSA(K, S) finishes, and it is expected that the state of the array S is sufficiently mixed around by the secret key K.
Next, operation of the PRGA(S) is described.
In the PRGA, arithmetic addition is performed of the variable k and a reference result of the array S, (S[(S[i]+[j]) mod N]) based on indexes i and j; and 1 word (1 word=32 bits) is outputted as a key stream (out=S[(S[i]+S[j]) mod N]+k) mod M). Furthermore, the S entry (S[(S[i]+S[j]) mod N]) that is referred to in order to generate the key stream, is updated using k immediately after the key stream output, (S[(S[i]+S[j]) mod N]=k+S[i] mod M). In FIG. 2, out (=S[(S[i]+S[j])mod N]=k+S[i] mod M) is the key stream which is output.
FIG. 3 illustrates operation (a state transition of the PRGA) at time t=1. In the array S, when a value S[1] of an address 1 is A, and a value S[A] of an address A is B, a value S[A+B] of an address A+B is k0+A+B.
FIG. 4 illustrates operation (a state transition of the PRGA) at time t=2. In the array S, when the value S[1] of the address 1 is A, the value S[A] of the address A is B, a value S[2] of an address 2 is C, a value S[A+C] of an address A+C is D, and a value S[A+B] of an address A+B is k0+A+B, a value S[C+D] of an address C+D is k0+B+C+D.
The security of the RC4 type stream cipher proposed by G. Gong et al. is reported in their paper (Non-Patent Document 1).
According to this, since the key stream is masked by arithmetic addition of the variable k at an S entry, if k is assumed to follow a uniform distribution according to KSA, it is shown that a bias does not occur in an output sequence.
Furthermore, the size of internal memory is 4 times that of RC4, and since S entries are updated by arithmetic addition, it is reported that security is improved also with respect to attacks seeking the internal memory.
However, if all S-box entries (elements of array S) and the variable k are even numbers at the same time, a “weak state” exists in which even numbers continue constantly thereafter. But, from the viewpoint of the size of the internal memory, since the probability of existence of the weak state is sufficiently small as to be considered not possible to occur, there is no problem with security.    [Non-Patent Document 1]    G. Gong, K. C. Gupta, M. Hell, and Y Nawaz, “Towards a General RC4-Like Keystream Generator”, SKLOIS Conference on Information Security and Cryptology, CISC 2005, LNCS 3822, pp. 162-174, Springer Verlag, 2005.    [Non-Patent Document 2]    I. Mantin and A. Shamir: “A Practical Attack on Broadcast RC4,” Fast Software Encryption, FSE 2001, LNCS 2355, pp. 152-164, Springer-Verlag, 2001.    [Non-Patent Document 3]    S. Paul, B. Preneel, and G. Sekar: “Distinguishing Attacks on the StreamCipher Py,” eSTREAM, the ECRYPT Stream Cipher Project, Report 2005/081, 2005.
The entire disclosure of Non-Patent Documents 1 to 3 is incorporated herein by reference thereto. The following analysis is given by the present invention.
<Description of GGHN(n,m) Attack Technique, “Distinguishing Attack”, that is an Object of the Invention>
With respect to analyzing GGHN(8, 32), a description is given concerning representation of variables and definitions.
The symbol · represents arithmetic multiplication.
The symbol ∥ represents concatenation of data.
The expression X<<<n represents a leftward n bit rotate of data X.
Furthermore, with lsb(X) as the least significant bit of the data X, and LSB(X) as the least significant byte,lsb(X)=X mod 2LSB(X)=X mod 2^{8}
At time t, variables i, j, and k are represented as it, jt, and kt.
Furthermore, at time t, an x-th S-box entry is represented as St[x].
The key stream outputted at time t is Ot, and the time at which a first key stream is outputted is t=1.
Here, an initial value of PRGA is defined as i0=0, and j0=0, and k0 is unknown.
Furthermore, regarding performing analyses, an attacker can freely obtain the key stream.
<Bias Between a First Output Word and a Second Output Word>
First, in order to describe the bias occurring between the first output word and the second output word of GGHN(8, 32), consideration is given to where conditions of the following Case 1 hold true.
<Case 1>LSB(S1[i1]+S1[j1])=LSB(S1[i1]); however, LSB(S1[i1])≠1  1.LSB(S2[i2]+S2[j2])=i2  2.
FIG. 5 and FIG. 6 illustrate state transitions of the least significant byte of the array S at t=1 and 2, in Case 1. In FIG. 5, in the array S the value S[1] of the address 1 is A, and the value S[A] of the address A, which should be k0+A, is 0, indicating an inconsistency. In FIG. 6, in the array S, the value S[1] of the address 1 is A, the value S[A] of the address A is k0+A, the value S[A+C] of the address A+C is 2−C, and the value S[2] of the address 2, which should be k0+2, is C, indicating an inconsistency.
From FIG. 2, when t=1, i1=1, and if LSB(S1[i1])=A, j1=A.
Here, when condition 1 of Case 1 is satisfied,LSB(S1[1]+S1[A])=LSB(S1[1])LSB(S1[A])=0  (1)so thatLSB(k1)=LSB(k0+S1[j1])=LSB(k0)
However, when A=1,LSB(S1[1]+S1[1])=LSB(S1[1])LSB(S1[1])=0≠1and since this is inconsistent with Expression 1, the conditionLSB(S1[i1])≠1 is derived.
In the key stream outputted at t=1, the following relationship holds true.LSB(01)=LSB(k0)  (2)
In the same way, when t=2, i2=2, and if LSB(S2[i2])=C, j2=A+C.
Here, when condition 2 of Case 1 is satisfied,LSB(S2[2]+S2[A+C])=2LSB(S2[A+C])=2−C 
In the key stream outputted at t=2, the following relationship holds true.LSB(O2)=LSB(k0+2)  (3)
Thus, from Expressions (2) and (3), the following relationship must hold concerning the first and second output words O1 and O2.lsb(O1)=lsb(O2)  (4)
In the same way, consideration is given regarding Case 2.
<Case 2>LSB(S1[i1]+S1[j1])=LSB(S1[i1]); however, LSB(S1[i1])≠1  1.LSB(S2[i2]+S2[j2])=j2  2.
FIG. 5 and FIG. 7 illustrate state transitions of the least significant byte of the array S at t=1 and 2, in Case 2. In FIG. 7, the value S[1] of the address 1 is A, the value S[2] of the address 2 is C, the value S[A] of the address A is k0+A, the value S[A+C] of the address A+C, which should be k0+A+C, is A, indicating an inconsistency.
Since the internal variable k at t=1 is the same as in Case 1, the relationship Expression (2) with respect to the key stream and the state transition of the array S is also the same.
When condition 2 of Case 2, when t=2, is satisfied,LSB(S2[2]+S2[A+C])=A+C LSB(S2[A+C])=A 
In the key stream outputted at t=2, the following relationship holds true.LSB(O2)=LSB(k0+2·S1[1])  (5)
Therefore, Expressions (2) and (5) must hold true when conditions 1 and 2 of Case 2 are satisfied.
In this way, in both Cases 1 and 2, the same relationship Expression (4) holds true between the first output word O1 and the second output word.
Next, a description is given regarding the fact that this Expression can be used as a distinguisher.
<Probability of Distinguisher Holding True and Necessary Data Amount>
Here, a description is given concerning the probability of Expression (4) used as the distinguisher holding true.
If an output sequence of GGHN(8, 32) is a true random number sequence, the probability that Expression (1), which is a distinguisher, holding true is 2^{−1}.
The probability of Expression (4) holding true is dependent on the structure of the PRGA, and is not dependent on the structure of the KSA.
Therefore, in the deliberation below, the array S and the variable k after the KSA is finished each independently follow a uniform distribution.
Firstly, the probabilities p1 and p2 that conditions 1 and 2 of Cases 1 and 2 hold true are as follows. Here, the probability p2 that condition 2 holds true is a probability that gives consideration to Cases 1 and 2.p1= 1/256· 255/256p2= 1/256· 1/256+ 255/256· 2/256
Here, when a condition of neither 1 nor 2 is satisfied, if the probability that Expression (1) holds true is assumed to ideally be ½, the probability pd that Expression (4) holds true for the output sequence of GGHN(8, 32) is given as follows.
  pd  =                              1          ·          p                ⁢                                  ⁢                  1          ·          p                ⁢                                  ⁢        2            +                        1          /          2                ·                  (                      1            -                          p              ⁢                                                          ⁢                              1                ·                p                            ⁢                                                          ⁢              2                                )                      ≈                  1        /        2            ·              (                  1          +                                    2              ⋀                        ⁢                          {                              -                15.01                            }                                      )            
Therefore, this is large in comparison to the probability ½ for the true random number sequence.
Next, when Expression (4) is a distinguisher, the data amount necessary for distinguishing between the output sequence of GGHN(8, 32) and a true random number sequence is considered.
According to Non-Patent Document 2, the amount of data necessary for distinguishing between two distributions is shown to be as follows.
For an event distribution X that occurs with a probability of p and an event distribution Y that occurs with a probability of p(q+1), when a certain event e occurs, in order to distinguish between X and Y with a success probability that cannot be ignored, a sample of O(1/pq^{2}) is necessary.
However, the abovementioned proposition holds true when p<<1.
In Non-Patent Document 3, when p=½, the amount of data necessary in order to distinguish between two distributions is shown to be as follows.
For an event distribution X that occurs with a probability of p=½ and an event distribution Y that occurs with a probability of ½(q+1), when a certain event e occurs, in order to distinguish between X and Y with a success probability that cannot be ignored, a sample of O(1/q^{2}) is necessary.
An event e in the present attacking is an event for which Expression (4) holds true, and it is possible to consider a distribution of the event e with respect to random numbers as X, and a distribution Y of event e with respect to an output sequence of GGHN(8, 32) as Y.
Therefore, since it is possible to consider p=2^{−1} and q=2^{−15.01}, the amount of data necessary for attacking is O(2^{30.02}.
Here, the required data amount is a value based on an assumption that the KSA of GGHN(8, 32) is a completely random permutation, and is a theoretical data amount obtained from a structural bias of the PRGA.
Therefore, with respect to GGHN(8, 32), by using the two head words of a key stream for theoretically approximately 2^{30} secret keys, it is possible to distinguish a true random number sequence.
In the description of “Bias between a First Output Word and a Second Output Word” (paragraphs 0050 to 0070), a description was given of a structuring method of a distinguisher with respect to the leading two words of the key stream, but a similar relationship holds true for two words of a continuous key stream at an arbitrary time t in Case 1.
Thus, a counter-measure of discarding a few head words of the key stream has no effect.
The “Description of GGHN(n, m) Attack Technique, ‘Distinguishing Attack’, that is an Object of the Invention” as described above can be summarized in FIG. 5 through FIG. 9.
FIG. 9 represents a data amount (theoretical value) necessary for attacking, and, for cases assuming output equality in which S-box entries are uniformly random by initial processing, describes flow for seeking a theoretical value of the data amount necessary for attacking.
In FIG. 9, output equality is assumed in which the S-box entries are uniformly random by initial processing. This means that at a time of attacking all 256 S values have a possibility of appearing. In FIG. 9, the probability p1 (= 1/256) and the probability p2 (= 255/256) respectively correspond to the probability of condition 1 occurring, and the probability of condition 2 occurring, with regard to FIG. 5. Furthermore, in FIG. 9, a probability p3 (=( 1/256)·( 1/256)+( 255/256)( 2/256)= 512/2562) corresponds to a probability that condition 3 will occur with regard to FIG. 7, or that condition 4 will occur with regard to FIG. 6. An amount of data necessary for attacking is O(q−2)=O(230.02).
As shown in FIG. 8, it is possible to construct a distinguisher of the improved algorithm proposed by G. Gong et al. FIG. 8 is a figure describing the fact that the Expressionlsb(O1)=lsb(O2)is taken as the distinguisher.
The lower 8 bits of continuous output are as follows.O1=k0O2=k0+2A  (condition 3),O2=k0+2  (condition 4)
Therefore, when Expression (4) is the distinguisher, it is possible to distinguish between the output sequence of GGHN(8, 32) and a true random number sequence.
The inventors of the present invention carried out experiments to confirm this, and a description is given below. FIG. 10 and FIG. 11 summarize results of the experiment. FIG. 10 illustrates a probability obtained by a computer experiment and the data amount necessary for attacking. FIG. 11 illustrates a result confirming whether a distinguisher of FIG. 8 is functioning, while making a given data amount N change, in accordance with the computer experiment.
That is, in FIG. 11, the number of times the distinguisher of FIG. 8 holds, while making the given data amount N change, is obtained. An experiment with 100 cases of the secret key is performed, and a rate of rejection is obtained. WhenX−2^{N−1}>(½)·√(2^{N−1}−2^{N−2})is satisfied, if not a random number, it is rejected (if a random number, 30.5% is obtained). Below, the experiment is described.<Description of Experiment Result>
When Expression (4) is a distinguisher, as shown in FIG. 9, a confirmation is done as to whether or not it is possible to distinguish between the output sequence of GGHN(8, 32) and a true random number sequence. The experiment procedure is as follows.
1. The secret key is randomly changed 2^{w} times, and the key streams of GGHN(8, 32) each have 2-word generation.
2. The number of times the Expression (1) holds true with respect to the 2^{w} key streams generated in 1. is counted.
3. When the number of times x counted in 2 satisfies the relationship expression below, if the output sequence is not a random number it is rejected. Here, μ represents an average value, and σ represents a standard deviation.μ−x>ρ/2
Thus, in the present experiment, when the relationship expression:2^{w−1}−x>½·(2^{w−1}−2^{w−2})^{−½}is satisfied, if the output sequence is not a random number it is rejected.
4. Given 100 independent cases of the group of 2^{w} secret keys given by 1, 1 to 3 are repeated and the rejection rate is obtained.
According to FIG. 11 in which the experiment results are shown in a table, when 2^{28} items of data are given, the rejection rate is 85%, and compared to the rejection rate of random numbers, an advantage of 50% or greater was obtained.
Thus, according to the Attack Technique when Expression (4) is the distinguisher, with regard to the output sequence of GGHN(8, 32), by using key streams of approximately 2^{30} words, it was experimentally confirmed that it is possible to distinguish a true random number sequence with a very high probability.
In this way, in the output sequences of the conventional GGHN(8, 32), by the Attack Technique when Expression (4){lsb(O1)=lsb(O2)}is the distinguisher, the key stream can be distinguished with respect to true random number sequence with a high probability, and there is a problem in that security is low.
The present invention has been made by the inventors based on a recognition of the abovementioned problems, and an object thereof is the provision of an encryption device, a program, and a method with high security for keeping data confidential.
In order to solve one or more of the abovementioned problems the invention disclosed in the present application is composed as in the following outline.
The present invention proposes measures having resistance to analysis methods as in the abovementioned problems. Furthermore, in implementations of the measures, consideration has been given so as not to damage ability to make implementations nor security as asserted by encryption designers.
According to one aspect of the present invention, there is provided an encryption device which generates a pseudo-random number sequence based on a secret key and applies the pseudo-random number sequence to a plain text so as to generate an encrypted text, wherein, using an internal state in accordance with a state based on a permutation of a sequence of a finite number of numeric values, as an internal state used for generation of the pseudo-random number sequence,
a predetermined leftward or rightward rotate shift, depending on a number smaller than an internal state number, based on the result of linear or non-linear, or combination of linear and non-linear using one or more numeric values of the internal state is executed and at least one temporary variable used for generation of the pseudo-random number sequence is set to be a temporary variable having as a value a result of the execution of the predetermined leftward or rightward rotate shift, and
the pseudo-random number is generated by a predetermined prescribed operation on one or a plurality of numeric values of the internal state and the temporary variable.
In the present invention, for an internal state in accordance with a state based on a permutation of the sequence of the finite number of numeric values, updating of the internal state may be performed using a linear operation and a non-linear operation outside of permutation.
The present invention may be configured such that, for an internal state in accordance with a state based on a permutation of the sequence of the finite number of numeric values, in updating of the internal state, the number of states with respect to the internal state increases monotonically, by using a linear operation and a non-linear operation outside of permutation. Or, the invention may be such that the number of states with respect to the internal state decreases monotonically.
The present invention may be configured such that, for an internal state in accordance with a state based on a permutation of the sequence of the finite number of numeric values, in updating of the internal state, by using a linear operation and a non-linear operation outside of permutation, the number of states with respect to the internal state is oscillated.
The present invention may be configured such that updating of the internal state is performed for each output of the pseudo-random number sequence. Or, the invention may be such that this is performed more times than the outputs of the pseudo-random number sequence. Or, the invention may be such that this is performed fewer times than the outputs of the pseudo-random number sequence.
The present invention may be configured such that the direction and/or numerical value (shift number) of the rotate shift may be dynamically changed depending on a numerical value of the internal state.
The present invention may be configured such that the direction and numerical value (shift number) of the rotate shift may be changed according to a value of a pre-determined table.
A device according to another aspect of the present invention is provided with a first processing unit (KSA) that, as an internal state used for generation of the pseudo-random number sequence,
creates an initial state of the array S, by mixing elements of an array S by repeating permutation of and arithmetic addition of the elements of the array S and, at this time, obtains an initial value of an internal variable k that is the temporary variable, from the elements of the array S; and
a second processing unit (PRGA) that, when generating the pseudo-random number (referred below to as “key stream”),
updates the value of the internal variable k with a value obtained by performing a rotate shift operation on a result of addition of the internal variable k and an element S[j] of the array S related to first and second index variables i and j,
outputs a key stream, based on a result of addition of the internal variable k and a reference result S[(S[i]+S[j])] of the array S according to S[i]+S[j], and updates the element S[(S[i]+S[j])] of the array S referred to in order to generate the key stream, using the array element S[i] and the internal variable k immediately, after output of the key stream.
A device according to another aspect of the present invention is provided with a first processing unit (KSA) that, as an internal state used for generation of the pseudo-random number sequence,
creates an initial state of the array S, by mixing elements of an array S by repeating permutation of and arithmetic addition of the elements of the array S, and, at this time, obtains an initial value of an internal variable k that is the temporary variable, from the elements of the array S; and
a second processing unit (PRGA) that updates a value of the second index variable j, based on a result of an arithmetic addition of a value obtained by performing a first shift number of rotate shift operations on an array element S[i] of a first index variable i, and a second index variable j,
updates a value of the internal variable k, based on a result of an arithmetic addition of a value obtained by performing a second shift number of rotate shift operations on an array element S[j] of a second index variable j, and an internal variable k,
outputs a key stream, based on a result of an arithmetic addition of a value obtained by performing a third shift number of rotate shift operations on the array element S[(S[i]+S[j])] according to S[i]+S[j], and
updates the array element S[(S[i]+S[j])] referred to in order to generate the key stream, using the array element S[i] and the internal variable k immediately after output of the key stream.
The present invention may be configured to be provided with
a first processing unit (KSA) that, using an initially set array a, performs permutation and mixing of the array a,
obtains an internal variable k that is the temporary variable, by performing arithmetic addition of a corresponding array element a that has undergone a rotate shift operation, and
obtains an array S as an internal state used for generation of the pseudo-random number sequence, by a prescribed operation on elements of the array a that have undergone a rotate shift operation and elements of the array S; and
a second processing unit (PRGA) that performs an arithmetic addition of an internal variable k and a reference result S[j] of the array S related to first and second index variables i and j,
outputs a key stream, based on the internal variable k and a reference result of the array S according to S[i]+S[j], and
updates entries of S referred to in order to generate the key stream, using the internal variable k, immediately after output of the key stream. The abovementioned first processing unit (KSA) and the second processing unit (PRGA) may be implemented as a computer program (software).
Furthermore, in the present invention, there is provided a method of generating a pseudo-random number sequence using a computer, the method comprising:
using an internal state in accordance with a state based on a permutation of a sequence of a finite number of numeric values, as an internal state used for generation of the pseudo-random number sequence;
executing a predetermined leftward or rightward rotate shift, depending on a number smaller than an internal state number, based on the result of linear or non-linear, or combination of linear and non-linear using one or more numeric values of the internal state and setting at least one temporary variable used for generation of the pseudo-random number sequence to be a temporary variable having as a value a result of the execution of the predetermined leftward or rightward rotate shift; and
generating the pseudo-random number by a predetermined prescribed operation on one or a plurality of numeric values of the internal state and the temporary variable. According to the present invention, a method including each process of the abovementioned first processor (KSA) and the second processor (PRGA) is provided.
According to the present invention, it is possible to make construction of a distinguisher for GGHN(n, m) difficult, and to avoid deterioration of speed capability possessed by the GGHN(n, m). As a result, the present invention can provide an encryption device with high security for keeping data confidential when communicating or storing the data.
Still other features and advantages of the present invention will become readily apparent to those skilled in this art from the following detailed description in conjunction with the accompanying drawings wherein only exemplary embodiments of the invention are shown and described, simply by way of illustration of the best mode contemplated of carrying out this invention. As will be realized, the invention is capable of other and different embodiments, and its several details are capable of modifications in various obvious respects, all without departing from the invention. Accordingly, the drawing and description are to be regarded as illustrative in nature, and not as restrictive.